Multi-factor authentication techniques in ADSelfService Plus
Let's take a look at the various multi-factor authentication techniques supported by ADSelfService Plus.
Why multi-factor authentication?
Securing user accounts using only usernames and passwords is no longer a secure option. Password authentication makes user accounts easy prey to threats like brute-force and dictionary attacks. To mitigate such security risks, ADSelfService Plus verifies users' identities using multi-factor authentication. The operations during which ADSelfService Plus enforces multi-factor authentication are listed under "How to configure multi-factor authentication" below.
Various authentication techniques available in ADSelfService Plus
- Security questions and answers: This method consists of a predefined set of personal questions such as "What is your favorite color?" These questions can be configured by administrators or users. Users can enroll by either defining custom questions and answers, or providing answers to administrator-defined questions. They have to provide the correct answer to these questions during identity verification.
- SMS-based verification code: For this method, users have to enter a one-time code sent to their mobile device to verify their identity. Administrators can either choose the mobile number from the users' Active Directory profiles, or let the users specify another number while enrolling.
- Email-based verification code: In this method, a one-time code is sent to the user's email address. Administrators can either choose the email address from the users' Active Directory profiles, or let the users specify another email address while enrolling.
- Google Authenticator: Google Authenticator is an app that uses timed codes for authentication. To verify user identity, the app generates a timed code that the users will have to enter to authenticate themselves. Users have to enroll by using the app to scan the QR code displayed under the Enrollment tab in the ADSelfService Plus end-user portal.
- Microsoft Authenticator: The Microsoft Authenticator app generates a timed code that the users will have to enter to authenticate themselves. For enrollment, users have to install the Microsoft Authenticator app, and configure it with ADSelfService Plus using the bar code given in the self-service portal under the Enrollment tab.
- Fingerprint authentication: Users with mobile devices containing a fingerprint sensor can use this method for identity verification. Enrollment is performed using the ADSelfService Plus mobile app. The steps to enroll are displayed under the Enrollment tab once the administrator configures this method. During multi-factor authentication, users have to scan their fingerprints, and select the Accept button for successful authentication.
- Push notifications: Push notifications are received through the ADSelfService Plus mobile app installed in the users' mobile devices. Enrollment can only be done through the mobile app. The steps are mentioned under the Enrollment tab after the administrator enables push notifications. Once enrolled, users receive a notification that they should accept in order to prove their identity.
- QR code-based authentication: When this method is enabled, users have to scan the QR code displayed in the ADSelfService Plus end-user portal using the ADSelfService Plus mobile app, and select Accept to prove their identity. Users can enroll using the app by following the steps displayed under the Enrollment tab.
- Time-based one-time password (TOTP): TOTP-based authentication is also performed using the ADSelfService Plus mobile app. After enrollment, the app is used much like the authenticator apps described above: it generates a TOTP every time users have to prove their identity, and they have to enter the TOTP within a specific period of time to authenticate themselves.
- Duo Security: Duo Security is an authentication solution that uses methods like:
  - SMS-based verification codes
  - Phone call-based verification
  - App-based verification codes
  - Push notifications
  Once configured, users have to either enter a code that they receive or accept a notification to authenticate themselves. For enrollment, users are required to mention which method they will be using for multi-factor authentication.
- RSA SecurID: RSA SecurID is another method that uses passcodes for multi-factor authentication. For enrollment, users specify the passcode provided by the administrator. To prove their identity, users enter a one-time passcode generated via:
  - A hardware token
  - The RSA SecurID mobile app
  - Tokens received by email or SMS
- RADIUS: RADIUS uses passcodes for multi-factor authentication. Users are automatically enrolled when the administrator configures RADIUS authentication. For multi-factor authentication, they simply have to enter the RADIUS password provided by the administrator.
- AD-based security questions: In this method, the administrator sets up Active Directory (AD)-based questions that are linked to an existing or custom AD attribute such as the Social Security number. To prove their identity, users have to enter an answer which is then compared with the attribute value in AD for their user account. If they match, the user is authenticated. This method does not require user enrollment.
- YubiKey Authenticator: YubiKey is a hardware device that uses codes for multi-factor authentication. Enrollment is done by either plugging the YubiKey device into the workstation and pressing its button (in the case of the ADSelfService Plus end-user portal) or tapping it against the mobile device (in the case of the ADSelfService Plus mobile app). When this is done, the code is automatically entered in the field provided in ADSelfService Plus. Users have to follow the same steps to verify their identity during multi-factor authentication.
- SAML authentication: Organizations that already use SAML-based identity provider (IdP) applications such as Okta or OneLogin can use SAML authentication as a method to verify users' identities. When SAML authentication is enabled, users are redirected to their IdP login URL for authentication only when they perform self-service password reset or account unlock in ADSelfService Plus. Enrollment is not required for this method.
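The Google Authenticator, Microsoft Authenticator and TOTP entries above all rely on the same mechanism: the app and the server share a secret (carried in the QR code scanned at enrollment) and each independently derive a short code from the current time step. The following is an added example, not ADSelfService Plus code, of how that derivation works (RFC 6238 TOTP built on RFC 4226 HMAC-OTP) and what a verifying server has to do beyond recomputing the code: tolerate a small clock skew, compare in constant time, and refuse to accept the same time step twice. The shared secret is the RFC 6238 test-vector secret, used here as a constructed sample; the time step and digit count are the common authenticator defaults.

```python
"""Added example (not ADSelfService Plus code): TOTP generation as an
authenticator app performs it, plus the server-side checks that make it safe."""
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 6238 test-vector key "12345678901234567890",
# base32-encoded as it would be carried in an enrollment QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds per code (the usual authenticator default)
DIGITS = 6       # code length shown by the app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238: the HOTP counter is the number of whole time steps since the Unix epoch."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at // step)


def verify_totp(secret_b32: str, submitted: str, at: int,
                used_steps: set, skew_steps: int = 1) -> bool:
    """Server-side verification.

    - Rejects anything that is not exactly DIGITS decimal digits before doing any crypto.
    - Accepts the current step and +/- skew_steps neighbours to absorb clock drift.
    - Uses a constant-time comparison so response timing leaks nothing about the code.
    - Records accepted steps in used_steps so a captured code cannot be replayed
      within the skew window (used_steps is the caller's per-user state).
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for delta in range(-skew_steps, skew_steps + 1):
        candidate_time = at + delta * TIME_STEP
        step = candidate_time // TIME_STEP
        if step in used_steps:
            continue  # already consumed: a replay, even if the code matches
        if hmac.compare_digest(totp(secret_b32, candidate_time), submitted):
            used_steps.add(step)
            return True
    return False


if __name__ == "__main__":
    # Demo against the RFC 6238 vectors (SHA-1, 6 of the published 8 digits).
    for t in (59, 1111111109, 1234567890):
        print(t, totp(DEMO_SECRET_B32, t))
    state = set()
    print("first use:", verify_totp(DEMO_SECRET_B32, totp(DEMO_SECRET_B32, 59), 59, state))
    print("replay:   ", verify_totp(DEMO_SECRET_B32, totp(DEMO_SECRET_B32, 59), 59, state))
```

The skew window and replay set are the two server-side details most often omitted in home-grown verifiers; without the window, users with a phone clock a few seconds off are locked out, and without the replay set a code observed over the shoulder or via a phishing page stays valid for the whole window.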
How to configure multi-factor authentication
You can choose a combination of authentication techniques to verify users' identities after they have entered their usernames and passwords during Active Directory password reset or account unlock; Windows, macOS, and Linux login; and ADSelfService Plus login. Here are the steps for configuring multi-factor authentication:
- Log in to the ADSelfService Plus admin portal.
- Navigate to Configuration → Self-Service → Multi-factor Authentication → Authenticators Setup.
- Open the tab of the required authentication technique, and enter the necessary information.
- Click Save.
Click here for the detailed configuration steps for each authentication technique.